Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:25

General

  • Target

    34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe

  • Size

    2.6MB

  • MD5

    bbf43291083500c1aa9195023fb8038c

  • SHA1

    9fe366b06a5eda3b7e58fbfb3e4cbfcca499edf1

  • SHA256

    d0608ed4f5d17b8e9fe55fd59f06f51c3be3a850d0a9edb83b096aeac4296515

  • SHA512

    577282a24e7dab7994308f36e95e2fd0665f8866170d810503cd0f6a2dbf3022d9e5d30ccfc352596ed917b54fc7a07f891446cd0a0e0902ff31e4b93fff24f7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS5:sxX7QnxrloE5dpUpZbg

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
    "C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1076
    • C:\Adobe2R\xbodloc.exe
      C:\Adobe2R\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5084

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Adobe2R\xbodloc.exe

          Filesize

          2.6MB

          MD5

          c90d6a36c4003714c0d8ff1a76c07712

          SHA1

          28593530449cb940e93920e82ff4e78b1c1bc93b

          SHA256

          95d38a02bed3064364d4a067e4b085d244472222aa201666013a925b48b3e0f6

          SHA512

          4035df6bd79f366b39a318aab4c26fb0b754a4512d773856a362480064d972e6969c338ed46d5dae9053f50693864afed8ec73fe9b9b5876e4ad456bf0c4e88d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          197B

          MD5

          866e640905701764d5dc13cfc014e9ac

          SHA1

          1f7bd6fbca4813bc7b8ba391da6540cc315f8d82

          SHA256

          58f6e33b3e720d4166d81cc1c6d3060573aa6ea178c194111ecac74b67a45aae

          SHA512

          2bfcac98470e27f4a3312ff6d0ba3aa4d28f583b2830f8cf42c18daa9d374621b4e22ed1841da41887c88858917b7a712ffbb8cdb5e43b02b772aaf1b3f2d59b

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          165B

          MD5

          c45cedcfb6f3705734821193e9edd249

          SHA1

          51a9e452db15153363aefe32746109ac949d8806

          SHA256

          ae2491e91fcdda13b59188ae4a4cfd882c2ce5e1033b22ae65c91cebca9e690b

          SHA512

          21b2ed4c1e2c29666c61e115ae31753d158144d41d3edebc622aabb1572b6dc02098077d94e4b0a38f24b61f7a128b26d7675331dc45253175ec440d2f21ae65

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          3e064563d6efda5d0bebdd22cb763538

          SHA1

          20385b93fe8375153c32aa9526eef83778031e2e

          SHA256

          5f325226ca6b6a14e7110d65974a52444f6098d1ec23dfd05b72264fef628892

          SHA512

          0b6866c07b9c906d8d3779fdcb43e74a8da88985a75827dad7dd3a09441aa6d402e6aff4b7753684c17ccba5e0745108e5f1c48efddd68bf2e3fa3ac84fcbb3e

        • C:\Vid8I\dobaec.exe

          Filesize

          109KB

          MD5

          1dc564368666ae3d07f1eab8a3fcef8d

          SHA1

          08406dc2148796ef6b28846eca4603bdafd942ad

          SHA256

          66ba85659792ef388c2945a4375ffad35597aa6beb01ab8304e91e9a8a77a981

          SHA512

          935fa6d5b9f12b2780eefc61d6cbd388cacda152585bff3741f099dc71c742739dfd47ac5e8793ae8e94546257de357cbf7794868537b4312c00883b0d432628

        • C:\Vid8I\dobaec.exe

          Filesize

          159KB

          MD5

          69d5d8a5560a569d4b62991e3ff1e5e9

          SHA1

          ca80bff24ce364fa2f4c6fd68c798726c224500a

          SHA256

          c819e33858d1a1135119da386dc51661820900c8eb1d72966a7ee1833b7eff95

          SHA512

          5813a83da0e87f30293bf3a838af171225bea1d87e929a588d160008634712911192e87ee9c8860089b8d408d0f17ea963ada5f12a1f407e5d1b3b2d8b634cbe